Over the past month, we've seen a reemergence of the Shamoon malware, primarily affecting businesses in Saudi Arabia. In this post, we'll take a look at a recent Shamoon sample to see how it works and how Sky ATP's deep analysis engines catch it.
The Hidden Payload
We start by observing that Shamoon has three bitmap images stored as resources within its executable file.
All three bitmaps look random(ish). Data that is truly indistinguishable from random could be the output of strong encryption, such as a block cipher like AES in a sound mode or a stream cipher with a long, non-repeating keystream. When we look closer, however, we see what appear to be patterns in the data:
The partial repetitions suggest a stream cipher with a short, repeating key: wherever the underlying plaintext is fairly constant (often long runs of 0x00 bytes, which are common in executables), XORing it with the same short key over and over makes the key itself surface as a pattern. The pattern's period gives us the key length, and because 0x00 XOR k = k, any stretch of zero plaintext hands us the key bytes directly, so given exact repetitions of the whole pattern we could recover the entire key. However, we need not bother with cryptanalysis; in this case, we can let the malware do the heavy lifting for us. In the disassembled binary, we find the following:
The first block of code locates the bitmap resources once they have been loaded into memory. The second part, beginning at the loc_401A10 label, is a loop implementing a simple repeating-key XOR cipher. By breaking after this loop in a debugger, we can extract both the keys and the decrypted contents, which turn out to be executable files carrying the payload of this attack.
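To make the cryptanalysis argument concrete, here is an added Python example (our illustration, not code from the original post, and using constructed data rather than the malware's actual resources or key). It detects the period of a repeating XOR keystream from the self-similarity of the ciphertext, recovers each key byte as the most frequent value in its column (which is exactly what zero-filled plaintext leaks), and decrypts. It also scores a pseudo-random buffer to show that a non-repeating keystream exhibits no such period, which is the contrast drawn above.

```python
# Recovering a short repeating XOR key from ciphertext whose plaintext is
# mostly zero bytes.  Added example with constructed data; not code from the
# original post and not the key or resources of the Shamoon sample.
import random
from collections import Counter
from typing import Dict, Tuple


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def periodicity_scores(ct: bytes, max_period: int = 64) -> Dict[int, float]:
    """For each candidate period p, the fraction of positions i with
    ct[i] == ct[i + p].  Under a repeating keystream, constant plaintext
    (runs of 0x00) produces exact matches at the true key length and its
    multiples; with a non-repeating keystream every p scores about 1/256."""
    scores: Dict[int, float] = {}
    for p in range(1, min(max_period, len(ct) - 1) + 1):
        matches = sum(1 for i in range(len(ct) - p) if ct[i] == ct[i + p])
        scores[p] = matches / (len(ct) - p)
    return scores


def guess_period(ct: bytes, max_period: int = 64) -> int:
    """Smallest period whose score is close to the best one.  Multiples of
    the key length score almost as well as the key length itself, so taking
    the single maximum could return 2x or 3x the real length."""
    scores = periodicity_scores(ct, max_period)
    best = max(scores.values())
    return min(p for p, s in scores.items() if s >= 0.9 * best)


def recover_key(ct: bytes, period: int) -> bytes:
    """Because 0x00 XOR k == k, the most frequent ciphertext byte in each key
    position is the key byte itself whenever the plaintext is mostly zeros."""
    return bytes(Counter(ct[j::period]).most_common(1)[0][0] for j in range(period))


def recover_and_decrypt(ct: bytes) -> Tuple[int, bytes, bytes]:
    """Full pipeline: period -> key -> plaintext."""
    period = guess_period(ct)
    key = recover_key(ct, period)
    return period, key, xor_repeating(ct, key)


def constructed_random_bytes(n: int, seed: int = 1234) -> bytes:
    """Deterministic pseudo-random buffer standing in for output of a strong
    cipher (constructed control case, not data from the sample)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-in for an embedded PE file: a few non-zero header bytes and
# strings surrounded by long runs of zero padding.  Not data from the sample.
PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 48
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + b"\x00" * 200
    + b"PE\x00\x00"
    + b"\x00" * 300
)
# Constructed 7-byte key with distinct bytes; not the key used by the malware.
KEY = bytes([0x1F, 0xA7, 0x3C, 0x55, 0x9E, 0x02, 0x71])


if __name__ == "__main__":
    ct = xor_repeating(PLAINTEXT, KEY)
    period, key, pt = recover_and_decrypt(ct)
    print(f"period={period} key={key.hex()} recovered={pt == PLAINTEXT}")
    noise = constructed_random_bytes(len(ct))
    print(f"best period score on random data: {max(periodicity_scores(noise).values()):.3f}")
```

The period detector picks the smallest period within 90% of the best score rather than the single maximum, because every multiple of the key length lines up the same key bytes and scores nearly as high. The key recovery relies on the plaintext being mostly zeros; on a resource with little zero padding you would instead need known-plaintext bytes (a PE header, for instance) at known offsets.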
Persistence and Evasion
On first launch, Shamoon runs but immediately quits, never reaching the decryption code above. Instead, it has quietly installed itself as a persistent Windows service.
Here we see that the program is relaunched automatically in the background as the "Microsoft Network Realtime Inspection Service", with the command-line parameter "LocalService". After sleeping for several minutes to avoid detection (a long idle period outlasts the analysis window of many sandboxes), it decrypts two of the bitmaps above and writes the decoded executables to disk. One of these is netinit.exe, a remnant of the previous Shamoon campaign. While this was originally the component that communicated with a command-and-control server, in the current incarnation it only contacts 188.8.131.52, which serves as a harmless placeholder rather than a live server. The other binary is written to a Windows system directory under a name randomly chosen from a set of names mimicking Windows system files: fsutl.exe, sigver.exe, sacses.exe, etc.
Launching these two dropped files begins the real attack. The second executable contains the EldoS RawDisk library, a legitimate commercial driver that gives user-mode code direct low-level access to the hard drives, bypassing the normal file-system access controls. On 32-bit Windows XP, the master boot record is overwritten, leaving the system unbootable. On 64-bit Windows 7, the master boot record isn't damaged, but the media files on the computer are overwritten with the image of the body of a Syrian boy (obscured in the screenshot below), suggesting possible political motivations for the attack.
After this, the computer is rebooted automatically, and upon reboot all media files have been erased.
Though signature- and hash-based antivirus engines initially missed the updated Shamoon variants, Sky ATP successfully detects and blocks them. The static analysis and dynamic analysis (sandboxing) stages of our deep analysis pipeline extract a number of useful features from both the executable file and its runtime behavior, and on the basis of those features Sky ATP's machine learning engine correctly classifies Shamoon as malicious.